-   Linux - Security (
-   -   Chkroot scan - /sbin/init & /sbin/ifconfig INFECTED (

bicoba 06-07-2006 05:45 AM

Chkroot scan - /sbin/init & /sbin/ifconfig INFECTED
I try to reboot my red hat 9.0 (using 'reboot' or 'init 6') and I couldn't do it. So I've made a scan with ./chkrootkit and it shows as result that /sbin/init/ and /sbin/ifconfig were infected. How could I fixe it.


Lenard 06-07-2006 06:01 AM

Keep it off the Internet and restore from backup or re-install the packages from a safe boot (linux rescue or other system boot) and change the passwords.

What did you expect anyhow, RHL9 is old, not supported and has been EOL'd for over two years. Consider this a good oppertunity to install a modern supported Linix OS, with keeping with the Red Hat family try CentOS or Fedora Core.

nx5000 06-07-2006 06:38 AM

Format and reinstall a patched (recent or do it yourself) distro.

unSpawn 06-07-2006 06:41 AM

First of all welcome to LQ. I'm sorry to see it had to be on such a sad occasion.

Like the others said, you have been running a blisteringly old release of Red Hat. 6.x was not only superseded by the (rather good) 7.x series one millennium ago, but the 6 series are about the most exploited ever. I am not against running legacy versions, but you have to know exactly what you do and at least run 7.x because Fedora Legacy still has updates for that. Secondly, if you have problems it is more helpful, "better" to post exact errors and messages instead of aproximations.

shows as result that /sbin/init/ and /sbin/ifconfig were infected.
As far as /sbin/init is concerned the most common corruptor (still?) is SuckIT.
As far as /sbin/ifconfig is concerned the most common corruptors are t0rnkit, tuxkit, like that, but to determine which one we would need to see the exact output from Chkrootkit.

Now rootkits can be cleaned up after, but more importantly (and most likely) they got hold of available login/passwd combo's and any personal/company data. If this box is a private standalone, other systems you access should be informed and checked too. If this box is part of an institutional or company network you have to inform reponsable IT personnel ASAP, preferably from another box.

If there is (depending on your situation) no IT personnel around you should do the following immediately if you have physical access to the box:
- shut down or power off the box or yank the power cable,
- only boot it again with a LiveCD like KNOPPIX to backup any human readable data (no binaries),
- normally we would make a bit-by-bit copy of the harddisk at this point before nuking it to investigate point of entry etc, etc, but by running 6.x that seems rather useless but you still may do so,
- completely wipe the harddrive. Then re-partition, re-format and re-install a (recent!) release of your O.S.
If the box is in colo, ask the colo people to handle backup, re-partition, re-format and re-installation of a recent release.
When done re-installing, make sure to change all login/passwords and properly harden your box Check out the LQ FAQ: Security references, post #1 under Checklists, Securing and Hardening.

Frequently Answered Questions:
Can I avoid the three R's?

No you can not. Re-partitioning, re-formatting and re-installing is vital to restore trust here.

But I don't have a recent release of CentOS/RHEL/Fedora Core
You can get .iso images online or tacked to a Linux magazine.
Whatever you do DO NOT load O.S. releases that have reached their End Of Life.

Surely there is no need for speed?
Yes there is. As long as the box is "live" in it's current corrupted state it is not only a threat to you but also to all of us.

What data should I backup?
It depends on what's there. Best is to stay with data that can be verified (by visual inspection or against a backup, or alike). Avoid system binaries: you won't need them anyway.

Any questions, just ask away.

bicoba 06-07-2006 10:16 AM

Thanks for your help.
I'm using the box as proxy server only to access to internet. No data retrieved on it. I think that I will reinstall on the box debian. That will be better.
Thanks & Regards

All times are GMT -5. The time now is 03:07 AM.